
List:       suse-security
Subject:    Re: [suse-security] OpenSSH Vulnerability and Setting PrivilegeSeparation
From:       Steve <steve () videogroup ! com>
Date:       2002-06-27 13:15:02

On Thursday 27 June 2002 01:45 am, you wrote:
>ISS and Theo announced a *remote root exploit* in OpenSSH, not giving any
>information about mitigating factors or any other details. This is a very
>serious problem. And if there wasn't an exploit out in the wild already,
>after this announcement it is highly probable that it wouldn't take long for
>one to appear. On the black-hat side, that is.
>
>In the meantime, with the news being out, the only half-solution given was
>adopted by SuSE very quickly and released to its customers, not few of whom
>rely on OpenSSH to administer systems across the Internet.

Of course this is the ongoing discussion. Being that blackhats are amazingly 
able to dig out root exploits, the only way to stay ahead is to inform the 
community, and for the community to do daily security checking/patching.

As you noticed, they released part of the exploit, giving us the chance to 1) 
make a temporary change to get around it and 2) apply a patch to stop it. 3) Then the 
second half was released, also with a fix (V3.4).

>> I would wait until its official before getting all too
>> excited -perhaps look at
>> http://online.securityfocus.com/advisories/4230
>
>That's exactly what Olaf et al. checked out. I don't see your point. SuSE
>didn't claim that the new OpenSSH RPMs fix the problem, it was rather clear
>(at least to me) that they were 'only' patched so as to conform to Theo's
>recommended mitigator. I see nothing wrong with that. And if you know
>better, don't update your package, it's not like they're forcing you or
>anything. I think you'll agree that just because you've got a vendor, that
>doesn't mean you shouldn't try to make informed decisions of your own about
>your systems. But it's nice to have prompt assistance from the vendor, SuSE
>in this case.
>
>Tobias

-- 
 
Steve Szmidt
V.P. Information Technology
Video Group Distributors, Inc.


-- 
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
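
The mitigator Theo recommended, and the one the SuSE packages were patched to follow, is the UsePrivilegeSeparation directive named in the subject line; the fix proper is OpenSSH 3.4. The shell script below is an added example, not code from this message, from OpenSSH or from SuSE: it reports whether a given sshd_config explicitly enables privilege separation and whether an `ssh -V` banner is at or past 3.4. The file names, config contents and banner strings are constructed for the example; adapt the path to your own /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post, OpenSSH or SuSE): two checks for
# the two halves of the June 2002 OpenSSH advisory discussed above:
#   1. is the recommended mitigation, UsePrivilegeSeparation, turned on in a
#      given sshd_config?
#   2. does an `ssh -V` banner report OpenSSH 3.4 or later, the release
#      carrying the fix?
# File contents and banner strings below are constructed test data.

# privsep_enabled FILE
#   Succeeds (exit 0) only if the FIRST uncommented UsePrivilegeSeparation
#   directive in FILE is "yes".  sshd uses the first value it reads for a
#   keyword, so later duplicates are ignored.  Absent or commented out counts
#   as NOT enabled: don't rely on whatever default the build happens to have.
privsep_enabled() {
    _val=$(sed -n 's/^[[:space:]]*[Uu]se[Pp]rivilege[Ss]eparation[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" 2>/dev/null | head -n 1)
    [ "$(printf '%s' "$_val" | tr 'A-Z' 'a-z')" = "yes" ]
}

# openssh_fixed BANNER
#   BANNER is the version banner `ssh -V` prints, e.g.
#   "OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f" (constructed).
#   Succeeds if major.minor is 3.4 or later, fails otherwise (including when
#   the string is not an OpenSSH banner at all).
openssh_fixed() {
    _ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$_ver" ] || return 1
    set -- $_ver            # $1 = major, $2 = minor (function-local positionals)
    [ "$1" -gt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -ge 4 ]; }
}

# --- Demonstration on constructed files (written to a temp dir) --------------
tmp=$(mktemp -d)

# "Before": the directive is there but commented out, so privsep is off.
cat > "$tmp/sshd_config.before" <<'EOF'
Port 22
Protocol 2
#UsePrivilegeSeparation yes
PermitRootLogin no
EOF

# "After": the mitigation is switched on explicitly.
cat > "$tmp/sshd_config.after" <<'EOF'
Port 22
Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin no
EOF

for f in "$tmp/sshd_config.before" "$tmp/sshd_config.after"; do
    if privsep_enabled "$f"; then
        echo "$f: UsePrivilegeSeparation yes"
    else
        echo "$f: privilege separation NOT enabled (mitigation missing)"
    fi
done

for banner in "OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f" \
              "OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f"; do
    if openssh_fixed "$banner"; then
        echo "$banner: fixed release"
    else
        echo "$banner: vulnerable release, upgrade to 3.4 or later"
    fi
done

rm -rf "$tmp"
```

Run it against a real host with `privsep_enabled /etc/ssh/sshd_config` and `openssh_fixed "$(ssh -V 2>&1)"`. Note that the privsep check deliberately treats a missing directive as "not enabled": on a 3.3-era box the safe move is to set it explicitly rather than trust the compiled-in default, and the check only accepts the literal "yes" (later releases also accept "sandbox", which this check does not cover).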